[SOLVED] SSH issue with exchange key only on the host

Bambusa29

New Member
Mar 30, 2023
Hi all,

I use OpenSSH agent (with WSL2) for my SSH connections. I have an issue only with the proxmox host; all is fine with the VMs, LXC and my two NAS.
I use the same method and same config (sshd_config, firewall rules...) for all the connections.
My keys and passphrase are stored in KeePassXC.
I have verified all the perms on the client and server side.

I also have password access with rsync over ssh from my NAS to proxmox (another user is used) and all is fine.

Here is the debug in the proxmox syslog:

Code:
2023-11-27T10:49:58.877662+01:00 proxmox1 sshd[2024402]: debug1: userauth_pubkey: publickey test pkalg ssh-ed25519 pkblob ED25519 SHA256:HBD7awvn6GYW0f1lti1D8neCdTr2Bzn5hwzssCWHBdA [preauth]
2023-11-27T10:49:58.877704+01:00 proxmox1 sshd[2024402]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
2023-11-27T10:49:58.877916+01:00 proxmox1 sshd[2024402]: debug1: trying public key file /home/yannick/.ssh/authorized_keys
2023-11-27T10:49:58.877962+01:00 proxmox1 sshd[2024402]: debug1: fd 5 clearing O_NONBLOCK
2023-11-27T10:49:58.878028+01:00 proxmox1 sshd[2024402]: debug1: restore_uid: 0/0
Failed publickey for yannick from 192.168.2.5 port 57334 ssh2: ED25519 SHA256:HBD7awvn6GYW0f1lti1D8neCdTr2Bzn5hwzssCWHBdA

Here is the debug on the client side:
Code:
debug1: Offering public key: /home/yannick/.ssh/proxmox.pub ED25519 SHA256:HBD7awvn6GYW0f1lti1D8neCdTr2Bzn5hwzssCWHBdA explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
yannick@192.168.2.254: Permission denied (publickey).

My config file, client side:
Code:
Host proxmox
    HostName 192.168.2.254
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/proxmox.pub
    IdentitiesOnly yes

Reading the pub key on the server side in 'authorized_keys' seems to fail but I don't know why...
Any ideas what's wrong?
 
Hello,

the IdentityFile should be the private key, so remove the ".pub".
 
Hello,

the IdentityFile should be the private key, so remove the ".pub".

Hi Markus,

I use IdentityFile with a public key to select the right private key in my SSH agent; otherwise it tries all the keys stored in the agent one by one.

I use the same config for all my ssh connections and only the Proxmox host ssh fails:

Code:
Host omv1
    HostName 192.168.2.253
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/omv1.pub
    IdentitiesOnly yes

Host omv2
    HostName 192.168.2.252
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/omv2.pub
    IdentitiesOnly yes

Host proxmox
    HostName 192.168.2.254
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/proxmox.pub
    IdentitiesOnly yes

Host wireguard
    HostName 192.168.3.19
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/wireguard.pub
    IdentitiesOnly yes

Host compta
    HostName 192.168.2.55
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/compta.pub
    IdentitiesOnly yes
   
Host gitea
    HostName 192.168.3.18
    User yannick
    ForwardAgent yes
    Port 1122
    IdentityFile /home/yannick/.ssh/gitea.pub
    IdentitiesOnly yes

Why does only the proxmox host fail?
 
Yes, it's true, but with an ssh agent you can use the public key to select a specific private key in the agent:

https://unix.stackexchange.com/ques...g-host-specific-keys-from-ssh-config-file-and
https://serverfault.com/questions/599560/use-a-specific-forwarded-key-from-ssh-agent/599565#599565
https://blog.cake.sh/2021/12/managing-multiple-ssh-keys-on-windows-with-keepassxc-and-openssh/

The trick is to not expose the private key file on your computer.

I don't have any problem with this method with my VMs, LXC containers or my NAS, only with the Proxmox host.
 
Oh I see, you are right: it can be read in the ssh man page.

Can you see the public key when using this command?
ssh-add -l

Because your error looks similar to when I start ssh-agent and do not add the key to it.
 
The agent is loaded automatically when I unlock my vault and the keys are deleted when my vault is locked.

I have solved my issue!!
I created a key pair (ed25519) once again, copied the private key and the passphrase into my vault, and copied the public key locally and to proxmox.
I had created the key pair several times and I suspect I had an old pub key in my local .ssh dir for the proxmox access :oops:
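The server log in the first post already names the key the client offered (the `SHA256:` fingerprint after "Failed publickey"), so the root cause found above can be confirmed without guessing. The following is an added example, not code from the thread: it computes OpenSSH SHA256 fingerprints of `authorized_keys` lines the same way `ssh-keygen -lf` does (SHA-256 of the raw key blob, base64 without padding), then checks whether the fingerprint from the sshd line is among them. The key material in `KEY_CURRENT` and the `AUTHORIZED_KEYS` contents are constructed samples, not real keys.

```python
import base64
import hashlib
import re
import struct

def _ed25519_blob(raw32: bytes) -> bytes:
    # OpenSSH wire format: length-prefixed key type, then the length-prefixed 32-byte key.
    ktype = b"ssh-ed25519"
    return struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(raw32)) + raw32

# Constructed sample key (bytes 0..31 are NOT a real ed25519 key, just a valid blob shape).
KEY_CURRENT = "ssh-ed25519 " + base64.b64encode(_ed25519_blob(bytes(range(32)))).decode() + " yannick@wsl"

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of one .pub / authorized_keys line, as ssh-keygen -lf prints it:
    base64 (padding stripped) of SHA-256 over the raw key blob. Assumes any leading
    authorized_keys options contain no spaces."""
    fields = pubkey_line.split()
    for i, f in enumerate(fields[:-1]):
        if f.startswith(("ssh-", "ecdsa-", "sk-")):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key type field found: " + pubkey_line[:40])

FAILED_RE = re.compile(r"Failed publickey for (\S+) from \S+ port \d+ ssh2: \S+ (SHA256:\S+)")

def offered_fingerprint(log_line: str):
    """(user, fingerprint) from an sshd 'Failed publickey' line, or None for other lines."""
    m = FAILED_RE.search(log_line)
    return (m.group(1), m.group(2)) if m else None

def diagnose(log_line: str, authorized_keys: str) -> str:
    """Say whether the key the client offered is one the server actually trusts."""
    parsed = offered_fingerprint(log_line)
    if parsed is None:
        return "no publickey failure in log line"
    user, fp = parsed
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        if line.strip() and not line.startswith("#") and fingerprint(line) == fp:
            return f"key {fp} for {user} is in authorized_keys (line {n}): look at file/dir permissions instead"
    return f"key {fp} offered for {user} is NOT in authorized_keys: client offered a different key than the server expects"

# The sshd line from the thread, checked against a constructed authorized_keys file.
SYSLOG_LINE = ("Failed publickey for yannick from 192.168.2.5 port 57334 ssh2: "
               "ED25519 SHA256:HBD7awvn6GYW0f1lti1D8neCdTr2Bzn5hwzssCWHBdA")
AUTHORIZED_KEYS = "# constructed sample\n" + KEY_CURRENT + "\n"
```

On a real host, feed it the `Failed publickey` line from the syslog and the contents of `~/.ssh/authorized_keys`; `ssh-add -l` on the client prints the same fingerprint format, so the three can be compared directly.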
 
How did you do that? What software is involved there?
I use the password manager KeePassXC. You can activate ssh agent integration in the options and keep your ssh private key secret.

And then, for each entry you create for an ssh connection, you can tell it to add the key when the db is unlocked and delete the key when the db is locked.
 
I use the password manager KeePassXC. You can activate ssh agent integration in the options and keep your ssh private key secret.

And then, for each entry you create for an ssh connection, you can tell it to add the key when the db is unlocked and delete the key when the db is locked.
Thank you, that's nice. Unfortunately, I stopped using keepass years ago and went for vaultwarden. I needed fine-grained control over entries. There are some projects allowing ssh-agent integration, I'll investigate.
 
Thank you, that's nice. Unfortunately, I stopped using keepass years ago and went for vaultwarden. I needed fine-grained control over entries. There are some projects allowing ssh-agent integration, I'll investigate.
I used self-hosted VaultWarden (great but needs docker, hard to install without) too before, and after changing the network of my homelab I migrated to KeePassXC (much simpler to manage).
 
great but needs docker, hard to install without
I don't get why people still try without ;) It's so much easier to deploy software than with anything else we had all those years.

Sadly, 98% of all publicly available containers are built without security in mind, e.g. they don't run in read-only mode or as unprivileged users.
 